Posts

Showing posts with the label controlled unclassified information

They’re Here! The Cybersecurity Maturity Model Certification Requirements for DoD Solicitations and Contracts Are Live. What Does This Mean for Your Organization?

  This alert serves to remind contractors of the much-ballyhooed Cybersecurity Maturity Model Certification (CMMC) and updates our previous articles on   the Department of Defense’s (DoD) proposed CMMC Program rule   and   DoD’s issuance of a new final rule , codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision). The new DFARS rule implements the CMMC Program’s requirements into DoD contracts over the course of a three-year phase-in period. This week, as of November 10, 2025, Phase 1 of this rule’s rollout has finally become effective, with significant implications for defense contractors. As discussed in our prior articles, the new CMMC rule will apply to defense contracts involving contractor information systems handling federal contract information (FCI) or controlled unclassified information (CUI) only . There is a significant exception for contracts solely for the acquisiti...

FAR Agenda Narrows, with CUI and OCI Rules Moving Forward

The Federal Acquisition Regulatory Council (FAR Council) released its Spring 2025 regulatory agenda as part of the government-wide  Unified Agenda of Regulatory and Deregulatory Actions , unveiling a slimmed-down list of procurement rules. In line with the Trump administration’s deregulatory priorities, t he FAR Council dropped several policy-oriented initiatives while maintaining a focus on two rules that strike at the core of procurement and information security — controlled unclassified information (CUI) and organizational conflicts of interest (OCI) . The agenda marks a narrowing compared with the Biden administration’s fall 2024 Unified Agenda, which had included more than 40 FAR-related rules. The Spring 2025 list contains fewer than half that number, reflecting what contractors and practitioners are already describing as the administration’s “one-in, ten-out” regulatory philosophy seen in  Executive Order 14192 . Rules Removed from Agenda Several rules championed by the...

DoD Finalizes Cybersecurity Maturity Model Certification Rule: What Defense Contractors Need to Know

Image
On September 10, 2025, the U.S. Department of Defense (DoD) published a  final rule  that will shake up cybersecurity compliance for DoD contractors. T he new rule formally incorporates the Cybersecurity Maturity Model Certification (CMMC) program into nearly all DoD contracts through the Defense Federal Acquisition Regulation Supplement (DFARS) . This move has far-reaching implications for employers across the defense industrial base. Quick Hits Beginning November 2025, the DoD will issue contracts requiring contractors to comply with CMMC cybersecurity standards and conduct third-party or self-assessments, depending on the sensitivity of the information they handle. In addition to achieving and maintaining the CMMC level specified in each solicitation or contract, the final rule will require contractors to flow down the appropriate requirements to subcontractors, and to document and publish the results of assessments. While the rule will be phased in over three years, emplo...